Rewterz Threat Alert – Spike In Cyber Attacks Linked To Emerging Ransomware Group 8BASE – Active IOCs

Severity

High

Analysis Summary

The 8Base ransomware gang has emerged as a significant threat, targeting organizations globally with double-extortion attacks since the beginning of June. While the group initially operated quietly with few notable attacks since March 2022, their activity has surged in recent months. Various companies across different industries have been targeted, and the gang has employed double extortion tactics, demanding ransom payments and threatening to leak stolen data.

The 8Base gang has established a dark web extortion site where they list their victims. Since its launch in May 2023, the gang has added 35 victims to the site, with some days witnessing the announcement of up to six victims at once. This marks a considerable increase compared to their earlier activity, where only a handful of victims were listed.

The gang presents themselves as “honest and simple” pentesters, claiming to offer companies favorable conditions for data recovery. Their data leak site emphasizes the negligence of targeted companies regarding the privacy and importance of employee and customer data.

According to a report by VMware’s Carbon Black team, the tactics employed by 8Base indicate a possible rebranding of the well-established ransomware group RansomHouse. While RansomHouse claims to focus solely on data sales without engaging in encryption attacks, there have been instances where threat actors associated with RansomHouse have utilized ransomware in their operations, such as White Rabbit or MARIO, which has links to the cybercrime group FIN8.

The similarities between 8Base and RansomHouse are evident in their ransom notes and leak site content, with even the FAQ pages appearing to be copy-pasted. However, it remains unclear whether 8Base is an offshoot of RansomHouse or another ransomware group imitating their established techniques. Such replication among threat actors is not uncommon.

From a technical perspective, 8Base utilizes a modified version of the Phobos v2.9.1 ransomware, which is distributed via SmokeLoader. Phobos, an Ransomware-as-a-Service (RaaS) operation that emerged in 2019, shares code similarities with the Dharma ransomware. The encrypted files in recent 8Base attacks bear the .8base extension, although previous submissions to ID Ransomware using Phobos also featured the .eight extension.

Further investigation by VMware’s analysts revealed that 8Base employs the domain “admlogs25[.]xyz” for hosting their payloads, which is linked to SystemBC, a proxy malware utilized by multiple ransomware groups for command-and-control obfuscation.

While 8Base is gaining attention from analysts, many aspects of its technical capabilities and operations remain unknown. It is evident that the group has been conducting encryption attacks for at least a year, but their recent establishment of a data leak site has brought them into the spotlight.

“Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen. It is interesting that 8Base is nearly identical to RansomHouse and uses Phobos Ransomware. At present, 8Base remains one of the top active ransomware groups this summer (2023)”, they summarize

Impact

• File Encryption
• Information Theft

Indicators of Compromise

Domain Name

• wlaexfpxrs.org
• admhexlogs25.xyz
• admlogs25.xyz
• admlog2.xyz
• dnm777.xyz
• serverlogs37.xyz
• dexblog.xyz
• blogstat355.xyz
• blogstatserv25.xyz

MD5

• 2809e15a3a54484e042fe65fffd17409
• 9769c181ecef69544bbb2f974b8c0e10
• d1f12c03b8ce33b36d8423b057c7d6c5
• e7ac55d61ab9cfcf180c92c1381a2fa1

SHA-256

• 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
• e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
• c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
• afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3

SHA-1

• 4a8f0331abaf8f629b3c8220f0d55339cfa30223
• 5d0f447f4ccc89d7d79c0565372195240cdfa25f
• d6d0631a1f95e3972a803ed1c57b120815b2b5cf
• f79fe555c492a9effe26ead87ec7eb3c53899083

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Conduct a thorough assessment to determine the extent of the ransomware attack. Identify the systems, files, and data that have been compromised or encrypted by the ransomware. 
• If reliable and unaffected backups are available, ensure they are secure and intact. Disconnect any compromised backup systems to prevent further encryption. Restore data and systems from clean backups once the affected systems have been cleaned and secured.
• Restrict user privileges and implement the principle of least privilege. Users should only have access to the systems and files necessary for their roles, reducing the potential impact of ransomware attacks